PAPERmaking! g FROM THE PUBLISHERS OF PAPER TECHNOLOGY Volume 3, Number 2, 2017
manufacturers). The requirement is that for standard PLCs to be used in safety functions the PL must be limited to PL a or b when in Category B, 2 or 3, and for PL c or d to be achieved two diverse PLCs must be used in two channel architecture. In practise such as structure would not be used due to installation and maintenance efforts (two different PLCs running together) and probably also space and cost. Therefore, for PL c and above and above the obvious choice is to use safety PLCs. In section 6.2.2 reference is still made to the fact that the structure (Category) is the key characteristic having the greatest influence on the PL. The statement that it is admissible to design according to a machine-specific C-standard specifying just a Category (as was in EN 954-1) and not the PL (hence obviating the need to consider MTTF D , DC and CCF) has been removed. It is the view of the author that one should always use state of the art when defining a safety function and working with the full requirements of EN ISO 13849-1 Annex A concerns the risk analysis used to determine the required PL. It must be pointed out that the risk graph method is not mandatory, and it assumes the worst case (probability of occurrence is 100%). It is also possible to deduce the PLr by other methods, or refer to a PL stated in a machine-specific C-standard. The terms S (severity), F (frequency) and P (possibility of avoidance) remain. The term F is now better clarified as F1 seldom being accumulated exposure time being less than 1/20 of the overall operating time and the frequency not higher than once per 15 minutes – the aim of this is make sure that duration is better defined, which is very relevant to relating a safety function to a task such as maintenance and not just the number of times persons are exposed to hazards. Now consideration can also be given to the additional term probability of occurrence (which is a parameter considered in EN 62061 when determining a target SIL, but note previously considered in EN ISO 13849-1). Rather than assuming 100% there is now a statement that “where the probability of occurrence of the hazardous event can be justified as low, the PLr may be reduced by one level”. This means that after considering severity (e.g. S2 irreversible injury), frequency of exposure (e.g. F2 twice a shift) and possibility of avoidance (e.g. P2 unavoidable) the PLr would be PL e , but by using the argument that it’s actually not likely to happen you could instead select PL d. This is not a massive stretch, however, a drop from PL d to PL c is a big step, because the design requirement could change from requiring dual channel architecture such as Category 3 with Diagnostic Coverage of 60% to single channel Category 1 without any Diagnostic Coverage. This is dramatic and even more so if taking the reduction from PL c (which at a minimum requires Category 1 and the use of well-tried components) to PL b (which would remove the need to use even well tried components). It is the view of the author that the use of such a reduction could be used if a safety solution is being designed on-top of an existing control solution, but it should not be used to rectify an existing poorly designed safety function. More importantly, extreme caution should be used when applying the reduction if one has already reduced the PL r by selecting P1. Note the option to do this appears in both Sistema and PAScal software, with the warning about applying the reduction of PLr where P1 has been selected. It is probably worthy of note that anyone buying a machine should be asking the machine supplier about this, as there may be a temptation to reduce the cost of the safety-related controls and this should not be at the expense of safety! is better than using the superseded EN 954-1 and just the Category. The informative Annexes have undergone some significant changes.
Page 4 of 5
Article 10 – Pilz on Safety Controls
Made with FlippingBook - Online catalogs